(54) Method and apparatus for incremental delivery of access rights



(57) Incremental delivery of authenticated access rights to an access control processor is provided. Subgroups of the access rights are communicated to the processor in a plurality of messages. The subgroups are stored in different data banks within the processor, and validity designations associated with the data banks indicate whether the data currently stored therein has been authenticated under a cryptographic key currently in use. Access under a particular key is limited to that provided by access rights contained in storage banks having a validity designation in a valid state for that key.
Description

BACKGROUND OF THE INVENTION

The present invention relates generally to security apparatus for information processing systems, and more particularly to the incremental delivery of authenticated access rights to an access control processor. The invention is particularly useful in connection with the secure transmission of premium television services via satellite or cable, but is not limited to such applications.

There are many schemes available for controlling access to electronic signals, such as those providing premium television services. Such schemes are necessary to maintain security, for example in subscription television systems such as cable television and satellite television systems. Typically, a system subscriber is provided with a decoder connected between a television signal source (e.g., cable feed or satellite receiver) and a television set. Each subscriber's decoder is remotely accessed by the system operator to enable or disable the receipt of specific services such as the Home Box Office (HBO) movie channel or special pay-per-view sports events. One problem with such systems is that "pirates" may attempt to break the system security and sell "black boxes" that enable the reception of all programming without paying for the services received. It has been difficult and expensive for system operators to contend with the piracy problem.

Various systems have been designed to make piracy more difficult. One such system is disclosed in U.S. patent no. 4,613,901 to Gilhousen, et al. entitled "Signal Encryption and Distribution System for Controlling Scrambling and Selective Remote Descrambling of Television Signals." In the Gilhousen, et al. scheme, various cryptographic keys are used to provide an encrypted television signal. Among the keys described are category keys, each common to a different subset of subscriber decoders. It is also known to provide program keys, in which each television program has a specific key associated therewith that is necessary to descramble or decrypt the particular program signal.

U.S. patent 5,115,467 to Esserman, et al. entitled "Signal Encryption Apparatus for Generating Common and Distinct Keys" also deals with the security issue. The generation of various different types of keys and their use is disclosed in the patent.

An example of a prior art communication system using encrypted category keys and program keys is the VideoCipher® II scrambling system produced and licensed by General Instrument Corporation of San Diego, California to provide encrypted satellite television communication. The encrypted category key is derived from a category key, a unit key specific to a subscriber decoder, and access rights defining which services the particular subscriber is entitled to receive. The access rights are authenticated in the category key, which generally changes monthly.



In the VideoCipher II system, and other known systems, it has been necessary to provide the authenticated access rights with the encrypted category key in a single "category rekey" message. The access rights may be many bytes in length. Each category rekey message has a limited length. For example, category rekey messages in a particular system may be limited to two hundred bytes. Such limitations are typically required by the size of the buffer (e.g., RAM) which receives the message in the access control processor. If the number of bytes required to define access rights were to become too large, a single category rekey message could not hold the full description.

It would be advantageous to provide an access control system in which access rights can be delivered incrementally, in more than one category rekey message. It would be further advantageous to provide such a system that would operate even after only a partial set of access rights has been received. It would be still further advantageous to provide such a system that can receive partial sets of access rights in any order, without adversely affecting system operation.

The present invention provides a system for incrementally delivering access rights having the aforementioned and other advantages.

SUMMARY OF THE INVENTION 

In accordance with the present invention, a method is provided for incrementally delivering authenticated access rights to an access control processor. Data defining the access rights is divided into a plurality of subgroups. The subgroups are transmitted to the processor as authenticated data in a plurality of messages. A current cryptographic key is derived using the authenticated data contained in a current message upon receipt of that message by the processor. Each of the subgroups is stored in a corresponding storage bank of the processor. Each of the storage banks has a validity designation associated therewith for said cryptographic key. The current cryptographic key is compared to a cryptographic key from a prior message under which subgroups stored in the storage banks were authenticated to determine if the keys match. If the keys match, the validity designation for that key is set to a valid state for each storage bank that is storing data authenticated by the current message, without changing the key's validity designation for any other storage bank. If the keys do not match, the validity designation for that key is set to a valid state for each storage bank that is storing data authenticated by the current message, and the validity designation for that key is set to an invalid state for all other storage banks. As used herein, the act of setting a validity designation to a valid state is intended to include the act of simply maintaining or leaving unchanged a validity designation that is already in the valid state. Likewise, setting a validity designation to an invalid state may only require that a prior invalid state be maintained without actually resetting the validity designation. Access (e.g., to particular television programs) under the current cryptographic key is limited to that provided by access rights contained in storage banks having a validity designation in a valid state for that key.

In one implementation of the present invention, first and second different cryptographic keys under which access rights are authenticated are maintained by the access control processor at the same time. Each of the storage banks is provided with a first validity designation for the first key and a second validity designation for the second key. Access via a particular one of the keys is limited to that provided by access rights contained in storage banks having a validity designation in a valid state for that key.

One or more of the plurality of messages can carry a replacement for one of the first and second keys, together with one or more subgroups authenticated under the replacement key. Each of the subgroups transmitted with the replacement key is stored in a corresponding one of the storage banks. The validity designation for the replacement key is set to a valid state for those storage banks holding a subgroup authenticated under the replacement key. The validity designation for the replacement key is set to an invalid state for those storage banks holding a subgroup that was not authenticated under the replacement key. The validity designation for the key that was not replaced will remain unchanged for those storage banks holding a subgroup authenticated under that key. The validity designation for the key that was not replaced is set to an invalid state for those storage banks holding a subgroup that was not authenticated under that key. The message carrying the replacement key can also carry a duplicate of the key that was not replaced. In a preferred embodiment, replacement keys are transmitted on a periodic basis. For example, a new "category key" for use during the next month can be transmitted while the category key for the current month is still maintained by the access control processor.

The present invention also provides an access control processor for incrementally receiving authenticated access rights. The access control processor includes means for receiving a plurality of messages containing subgroups of access control data defining the access rights. Means are provided for deriving a cryptographic key using the authenticated data contained in a current one of the messages upon receipt of that message. A plurality of storage banks is provided for storing different ones of the subgroups. Each of the storage banks has a validity designation associated therewith for the cryptographic key. A comparator is provided for comparing the cryptographic key to a cryptographic key under which data contained in the storage banks was authenticated to determine if the keys match. Means responsive to the comparing means set the validity designation for the key to a valid state for each storage bank that is storing data authenticated by the current message, without changing the validity designation of any other storage bank if the keys match. Means responsive to the comparing means set the validity designation for the key to a valid state for each storage bank that is storing data authenticated by the current message, and set the validity designation for that key to an invalid state for all other storage banks if the keys do not match. Access under the cryptographic key is limited to that provided by access rights contained in storage banks having a validity designation in a valid state for that key.

The processor can maintain first and second different cryptographic keys under which access rights are authenticated. A first validity designation is maintained for the first key and a second validity designation is maintained for the second key for each of the banks. Access via a particular one of the keys is limited to that provided by access rights contained in storage banks having a validity designation in a valid state for that key.

A replacement can be provided for one of the first and second keys together with one or more subgroups authenticated under the replacement key. In such an embodiment, the apparatus of the present invention further comprises means for storing each of the subgroups transmitted with the replacement key in a corresponding one of the storage banks. Means are provided for setting the validity designation for the replacement key to a valid state for those storage banks holding a subgroup authenticated under the replacement key. Means are provided for setting the validity designation for the replacement key to an invalid state for those storage banks holding a subgroup that was not authenticated under the replacement key. Means are also provided for setting the validity designation for the key that was not replaced to an invalid state for those storage banks holding a new subgroup that was authenticated under the replacement key and differs from the previous subgroup stored in that storage bank.

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a block diagram of an access control processor in accordance with the present invention;
Figure 2 is a block diagram illustrating, in simplified form, an example of a key hierarchy that can be used by an uplink processor to provide cryptographically secure data for transmission;
Figure 3 is a block diagram illustrating, in simplified form, an example of a key hierarchy that can be used for decryption of the cryptographically secure data at a decoder;
Figures 4a to 4c are diagrammatic illustrations used to show how access rights are incrementally distributed in accordance with the present invention;
Figures 5a to 5b illustrate, in diagrammatic form, a further example of the invention in which a plurality of different cryptographic keys are maintained under which access rights are authenticated and distributed incrementally;
Figures 6a to 6b illustrate an example in which a replacement category key is provided with no change in access rights; and
Figures 7a to 7c illustrate an example in which two different subgroups of access rights are incrementally delivered and authenticated under two category keys.

DETAILED DESCRIPTION OF THE INVENTION

Figure 1 illustrates a secure access control processor that can be used, for example, to receive and decrypt digital television signals in accordance with the present invention. The signals to be decrypted are input via terminal 10 to a decryptor 20. The decryptor receives working keys necessary to decrypt the input data from a processor. The processor addresses memory 16 in a conventional manner, in order to store various data including decrypted keys, access rights and validity designations as described in more detail below. Encrypted keys are input to the processor 14 via terminal 12. A comparator 22 is provided in accordance with the present invention in order to compare a newly derived key with a prior key stored in memory 16. This comparison is used in order to set the state of the validity designations mentioned above.

Figure 2 describes, in simplified form, a key hierarchy that can be used for key encryption, e.g., at a satellite uplink. A unit key which is specific to a particular subscriber decoder is input via terminal 30 to an exclusive OR (XOR) function 31 which also receives access rights via terminal 32. Access control involves defining, on a unit by unit basis, the access rights granted to that particular unit. Access rights are authenticated in a "category key," which changes periodically, for example on a monthly basis. Each program, which represents a time slice from one service such as HBO, defines specific "access requirements" which must be present in order to grant the right to decrypt that program. The access requirements are authenticated in a "program key" which is valid for the duration of the program. An access control processor regularly receives "category rekey" messages defining its set of access rights.

The unit key for a particular subscriber decoder is derived from quantities stored in a secure random access memory (RAM) at the time the access control processor within the decoder is manufactured.

The access rights input via terminal 32 are also XOR'ed via XOR 38 with a category key input via terminal 34 and encrypted in a first encryption circuit 36. As indicated above, the category key is changed on a periodic basis. One specific category key is delivered, in an encrypted form, to a subset of the full population of decoders. The operation used to encrypt the category key is invertible. The property of invertibility plus knowledge of unit keys allows a system operator to prepare an encrypted category key that will result in a desired category key.

As shown in Figure 2, the encrypted category key is provided by an encryption circuit 40 that receives the outputs of XOR's 31 and 38 as inputs. Thus, the encrypted category key is dependent on the unit key and category key and authenticates the access rights.

The encoder also provides an encrypted program pre-key that is required by the decoder in order to derive the program key for the program. The program pre-key is input via terminal 42 to an encryption circuit 44 that encrypts the program pre-key under the category key to provide the encrypted program pre-key.

The program pre-key is also input to a one-way function 48 which receives the access requirements for the particular program via terminal 46. The one-way function combines the program pre-key and access requirements to provide the program key necessary to generate working keys via a working key generator 50, in a conventional manner. Working keys are simply keys that vary with time, dependent upon the program key. Minimizing re-use of working keys throughout a program defends against certain cryptographic attacks. The working key is applied as an initializing key to decrypt the digital data comprising the digital service being access controlled. Such decryption typically uses a cipher-block-chaining (CBC) approach.

Figure 3 illustrates an example of a key hierarchy that can be used for the decoder processing at the category and program key levels. The access rights input via terminal 54 are XOR'ed in an XOR 56 with the unit key for the particular decoder input via terminal 52. The result is input to a decryption circuit 58 which receives the XOR of the access rights and the output of a decryption circuit 62. The decryption circuit 62 partially decrypts the encrypted category key received via terminal 60. Assuming that the access rights and unit key match those values used in the encryption process, the output of decryption circuit 58 will be the same category key that was encrypted.

The recovered category key is used to decrypt the encrypted program pre-key input via terminal 66 to decryption circuit 68. This provides the program pre-key for input to one-way function 72. The access requirements for the program to which the program pre-key corresponds are input to one-way function 72 via terminal 70. This enables the program key to be recovered for use by working key generator 74 in generating the working keys necessary to decipher the program.

In practice, the access rights and access requirements data blocks may be many bytes in length. Thus, the XOR, decrypt/encrypt and one-way function operations will typically be cascaded and repeated enough times in an actual implementation so that all data is factored in. For example, the data blocks may have eight-byte data and seven-byte keys or may embody other cryptographic algorithms, as desired. The use of eight-byte data blocks and seven-byte keys is conventional in the Data Encryption Standard (DES) algorithm, details of which can be found in Federal Information Processing Standards Publication 46 ("FIPS Pub. 46") issued by the National Bureau of Standards, U.S. Department of Commerce, "Announcing The Data Encryption Standard," January 15, 1977 and FIPS Pub. 74, "Guidelines for Implementing and Using the NBS Data Encryption Standard," April 1, 1981.

When the number of bytes required to define access rights becomes large enough, one single category rekey message cannot hold the full description. The limitation on category rekey length may be, for example, two hundred bytes. The present invention overcomes this message length limitation by delivering the access rights in an incremental manner. More particularly, the present invention breaks access rights down into a plurality of data subgroups stored in "banks." Each instance of the category rekey message carries one or more subgroups, up to the limitation of the length of the message. Each subgroup is stored in a respective bank in secure RAM in the access control processor along with at least one "validity bit", used by the access control processor to keep track of the state of the bank. When the validity bit is set to a "valid" state (e.g., validity bit set), it indicates that the bank holds data that can be used to match access requirements and grant authorization. When the validity bit is set to an "invalid" state (e.g., validity bit clear), it indicates that the data in the bank cannot be used to grant authorization.

Whenever a category rekey message arrives in the access control processor, it is processed as follows:

1. The category key is derived;

2. If the category key matches the previously delivered category key exactly, then any banks authenticated in the derivation of the current category key are marked valid and the validity bits associated with banks not involved in the derivation are left unchanged.

3. If the category key does not exactly match the previously delivered category key, then any banks authenticated in the derivation of the current category key are marked valid, but validity bits associated with any banks not involved in the derivation are set to the invalid state. The new category key is stored.

This process enables the incremental delivery of access rights, while retaining cryptographic security in the authentication of the access rights data delivered. A key element of the inventive approach is that if the current category key exactly matches the previous category key, the banks previously authenticated under the previous key and validated can remain validated. In this manner, later messages effectively build upon prior messages.

Since any changes to access rights will affect the resulting derivation of the category key, any attempt to tamper with the content of one's access rights data in order to steal services (a pirate attack) will prevent a key match from occurring. Thus, the prior banks' data will become invalid upon derivation of the incorrect category key.

The data labeled as "access rights" in Figures 2 and 3 does not have to exactly comprise the access rights data ultimately stored in secure memory. The actual data validated may be the instructions used to define the data as it will be stored. The category rekey message may deliver data structures which include control bytes indicating the format of data blocks to follow. The control byte may, for example, indicate that the bank indicated by the preceding field is to be cleared to zero, or that the bank data to follow is a list of bits to be set instead of a bit mask. Given that the control bytes and parameters are authenticated, the result of the expansion or processing of the instructions is also authenticated.

Figures 4a to 4c illustrate an example in which access rights data are delivered incrementally in accordance with the present invention. In the initial state illustrated by Figure 4a, the access control processor holds access rights data in two banks 82, 86. Each bank has a validity designation 84, 88 respectively, associated therewith. In the initial state, the validity designations for both banks are set to a valid state (V=1). The access control processor also holds the key under which the access rights data is authenticated, namely, category key X stored in key store 80.

Figure 4b illustrates the delivery of a new category key and subgroup of access rights data via a category rekey message generally designated 90. The category rekey message includes an encrypted category key 92 (encrypted category key Y) as well as subgroup 94 of new access rights data. The new category key is stored in key store 80 and the new subgroup of access rights data is stored in bank 82. Subgroup 94 is authenticated under the new category key 92. Thus, when this subgroup is stored in bank 82, the validity designation 84 for bank 82 is set to (i.e., remains) valid. On the other hand, since the new category key (category key Y) does not match the prior category key (category key X), the validity designation 88 for bank 86 is set to an invalid state (V=0). This is necessary because the access rights data (access rights data A) currently stored in bank 86 has not been authenticated under the current category key (category key Y).

Figure 4c illustrates a subsequent delivery of new access rights data (i.e., subgroup 95) for storage in bank 86. The new access rights data is provided by category rekey message 96, which carries the same encrypted category key 92 (category key Y) that was carried by the previous category rekey message 90 (Figure 4b). Since subgroup 95 is authenticated under category key Y, which is stored in key store 80, the validity designation 88 for bank 86 is set to a valid state when subgroup 95 is loaded into bank 86. Since the result of derivation of the category key when authenticating subgroup 95 resulted in the same category key (category key Y) that was already stored in key store 80, the validity designation 84 for bank 82 is unchanged. The result is that both banks are now authenticated under category key Y, even though the access rights subgroups stored in the two banks were delivered separately. It is noted that the subgroups 94 and 95 could have been delivered in the opposite order, with the same end result.
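The three-step category rekey rule and the Figure 4a to 4c walk-through above, as an added Python model that is not part of the patent: it replays the incremental delivery in both orders and the tampered-message case described earlier. The key derivation is a simplified stand-in (an assumption, not the Figure 3 circuit): a SHA-256 mask of the unit key and the authenticated subgroup bytes, XORed with the encrypted key, which preserves the invertibility the text relies on; unit key, category keys and bank contents are constructed.

```python
import hashlib

KEY_LEN = 7  # seven-byte keys, as in the DES example in the text

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def serialize(subgroups: dict) -> bytes:
    """Canonical bytes of the subgroups carried in one message (bank index,
    length, data), so uplink and decoder authenticate exactly the same bytes."""
    return b"".join(bytes([i, len(d)]) + d for i, d in sorted(subgroups.items()))

def mask(unit_key: bytes, authenticated: bytes) -> bytes:
    # Hash stand-in (assumption) for the unit-key/access-rights mixing of Figures 2 and 3.
    return hashlib.sha256(unit_key + authenticated).digest()[:KEY_LEN]

def rekey_message(category_key: bytes, unit_key: bytes, subgroups: dict) -> tuple:
    """Uplink side. Masking with XOR is invertible, so an operator who knows the
    unit key can prepare an encrypted key that derives to the desired category
    key, but only if the decoder authenticates exactly these subgroup bytes."""
    return xor(category_key, mask(unit_key, serialize(subgroups))), subgroups

class AccessControlProcessor:
    """Decoder-side model of the three-step category rekey rule (single key)."""

    def __init__(self, unit_key: bytes, n_banks: int):
        self.unit_key = unit_key
        self.banks = [b""] * n_banks     # access-rights subgroups (secure RAM)
        self.valid = [False] * n_banks   # one validity bit per bank
        self.category_key = None         # key store 80

    def process_rekey(self, encrypted_key: bytes, subgroups: dict) -> bytes:
        # Step 1: derive the category key; every subgroup in the message takes
        # part in the derivation and is thereby authenticated.
        key = xor(encrypted_key, mask(self.unit_key, serialize(subgroups)))
        for i, data in subgroups.items():
            self.banks[i] = data
        if key == self.category_key:
            # Step 2: exact match, so the delivered banks become valid and all
            # other validity bits are left unchanged: this message builds on the last.
            for i in subgroups:
                self.valid[i] = True
        else:
            # Step 3: mismatch, so only the banks authenticated by this message
            # are valid; everything else was authenticated under some other key.
            self.valid = [i in subgroups for i in range(len(self.banks))]
            self.category_key = key
        return key

    def usable_rights(self) -> list:
        """Only banks whose validity bit is set may be matched against access requirements."""
        return [self.banks[i] for i in range(len(self.banks)) if self.valid[i]]

UNIT_KEY = bytes(range(1, 8))                        # constructed unit key of one decoder
KEY_X, KEY_Y = b"X" * KEY_LEN, b"Y" * KEY_LEN        # constructed category keys

def initial_state() -> AccessControlProcessor:
    """Figure 4a: banks 82 and 86 both valid under category key X."""
    acp = AccessControlProcessor(UNIT_KEY, 2)
    acp.banks, acp.valid, acp.category_key = [b"rights-B", b"rights-A"], [True, True], KEY_X
    return acp

def replay_figure_4(deliveries=((0, b"rights-C"), (1, b"rights-D"))) -> tuple:
    """Deliver key Y with one subgroup per message, in the given order
    (Figures 4b and 4c); returns the validity bits after each message."""
    acp = initial_state()
    history = []
    for bank, data in deliveries:
        acp.process_rekey(*rekey_message(KEY_Y, UNIT_KEY, {bank: data}))
        history.append(list(acp.valid))
    return history, acp.category_key == KEY_Y, acp.usable_rights()

def replay_tampering() -> tuple:
    """A message whose subgroup bytes were altered in transit: the derived key
    no longer matches, so the other bank is invalidated and the stored key is
    wrong, which also breaks the program pre-key decryption that depends on it."""
    acp = initial_state()
    acp.process_rekey(*rekey_message(KEY_Y, UNIT_KEY, {0: b"rights-C"}))
    acp.process_rekey(*rekey_message(KEY_Y, UNIT_KEY, {1: b"rights-D"}))
    encrypted, _ = rekey_message(KEY_Y, UNIT_KEY, {0: b"rights-C"})
    acp.process_rekey(encrypted, {0: b"rights-Z"})   # altered access rights
    return list(acp.valid), acp.category_key == KEY_Y

if __name__ == "__main__":
    print(replay_figure_4())
    print(replay_figure_4(((1, b"rights-D"), (0, b"rights-C"))))
    print(replay_tampering())
```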
In a preferred embodiment the access control processor holds two category keys. One category key is used for a current time period (e.g., the current month) and the second is used for a subsequent time period (e.g., the following month). Two keys are required to provide a seamless transition across the month boundary. Such an arrangement allows a system operator to predeliver next month's key without affecting the current month's transactions. In other words, a category key for a subsequent time period can be delivered without creating a period of time where one or more banks are invalidated during the delivery of the new key.

In accordance with the present invention, the maintenance of two category keys with only a single set of banks is permitted by providing a second validity designation for each bank. Each validity designation is associated with (i.e., "points" to) a specific category key. This can be accomplished, for example, either by quoting the sequence number of the category key or by using an even/odd parity scheme.

In a dual key implementation, the processing rules are refined to accommodate the validation bytes for banks already validated by one key when the second key arrives. The category rekey message in such implementations may treat a bank in one of three ways. In particular, the bank may be redefined by the category rekey message, it may be uninvolved in the authentication processing of the message, or the bank may be assumed to be unchanged from a definition received previously, but authenticated in the derivation of the new category key. In the latter case, the data in the bank is involved in the encryption/decryption of the category key, but the actual data in the bank is not included in the message.

Examples for the incremental delivery of access rights where two keys are held by the access control processor are illustrated in Figures 5a, 5b, 6a, 6b, and 7a, 7b, 7c. Figures 5a and 6a each illustrate the same initial conditions, in which an even category key 100 (category key X) and an odd category key 102 (category key W) are present in the access control processor. A first bank 104 holds a first subgroup of access rights. Two validity designations are associated with this bank. Validity designation 106 pertains to information authenticated under the even key. Validity designation 108 pertains to information authenticated under the odd key. A second bank 110 holds a second subgroup of access rights. The second bank is associated with validity designations 112 and 114. Validity designation 112 pertains to information authenticated under the even key and validity designation 114 pertains to information authenticated under the odd key. In the initial state, all four validity designations are set to a valid state (V=1).

In Figure 5b, a category rekey message 120 is received which includes a new encrypted category key 122 (category key Y) and a new subset of access rights 124 to be stored in the first bank. Upon receipt of a category rekey message containing a single category key, as illustrated in Figure 5b, the category key is first derived by decrypting the encrypted category key as illustrated in Figure 3. The resultant category key is stored in category key store 102. The validity designation for each bank redefined or authenticated by the new category key stored in category key store 102 is set to a valid state. It is noted that any bank which is redefined by a category rekey message is also authenticated under the keys carried by that message.

For each bank redefined by a new category rekey message, the validity designation for the other category key (i.e., the category key that is not contained in the category rekey message) is set to an invalid state. Thus, in Figure 5b the validity designation 106 for the category key that is not contained in the category rekey message (i.e., "even" category key X stored in key store 100) is set to the invalid state (V=0). Validity designation 108 is set (i.e., maintained) in a valid state since the "odd" key (category key Y stored in key store 102) was provided by the category rekey message and is the key under which the new access rights stored in the first bank 104 are authenticated.

In the event that the newly derived category key does not exactly match the previous value for that key (i.e., if a new even key does not match the prior even key or if a new odd key does not match the prior odd key), all validity designations associated with that key are set to an invalid state, except for those banks that are redefined and authenticated or simply authenticated by the new category key provided by the category rekey message. It should be noted that the validity designations associated with the other category key are unchanged for any banks authenticated but not redefined in the present message. Thus, in Figure 5b, after the receipt of a new odd category key (category key Y) under which the access rights stored in the first bank 104 are authenticated, the validity designations 106 and 114 will be set to an invalid state while the validity designations 108 and 112 will remain in a valid state. More particularly, validity designation 106 is set to an invalid state because the even key (category key X) was not used to authenticate the access rights stored in first bank 104. Validity designation 114 is set to an invalid state because the access rights stored in second bank 110 were not authenticated under the new odd key (category key Y).

In the example illustrated by Figures 6a and 6b, a new odd category key 122 is provided by the category rekey message 125 without any change in the access rights. In this case, both banks are reauthenticated in the delivery of the odd category key. Thus, the validity designations 108 and 114 for the odd key remain in a valid state. Since no banks were redefined, the validity designations 106, 112 for the even key are also unchanged from the initial conditions illustrated in Figure 6a.

In order to avoid disruption of a current month's authorization if any banks are redefined during delivery of the next month's key, both keys must be delivered in the category rekey message. An example of this is shown in Figures 7a through 7c. Figure 7a shows the same initial conditions illustrated in Figure 6a.
Whenever two keys are present in the category
rekey message, the authenticated data used in the
encryption is common to both keys. In other words, the
first key cannot be defined to authenticate one bank with
the second key authenticating the second bank. If two
banks are redefined, both keys must authenticate both
banks.

Upon receipt of a category rekey message containing
encrypted odd and even category keys, one of the
keys (e.g., the even key) is first derived. The validity
designations corresponding to the derived key are then set
to a valid state for any banks redefined or authenticated
by the category rekey message. If the derived key does
not exactly match the previous value of that key, then all
of the validity designations associated with that key,
except for those banks redefined or authenticated
thereunder, are set to an invalid state.

After the first category key has been derived and its
corresponding validity designations have been set or
cleared, the second key is derived. The validity
designations for any banks redefined or authenticated in the
category rekey message are then set to a valid state for the
second key. The derived second key is then compared
with the previous value of that key, and absent an exact
match, all of the validity designations associated with
that key are set to an invalid state except for those banks
redefined or authenticated in the current category rekey
message.

In the example of Figure 7b, two keys 132 and 134
are delivered in category rekey message 130, together
with new access rights data 136 for the first bank 104.
Category key X (derived from encrypted key 132) is the
key for the current epoch (i.e., the current month), and is
therefore the same key that is already present in the
access control processor and stored in key store 100.
Category key Y, which is derived from the encrypted key
134 in the category rekey message 130, is a new key for
the next epoch and will overwrite the prior category key
W in key store 102.

After processing the category rekey message 130,
the first bank 104, which stores the new access rights
data 136, is validated for both key parities, since the first
bank was redefined in the message and authenticated
under both the even and odd keys. Thus, validity
designations 106 and 108 are both set to a valid state. The
validation of the second bank 110 is unchanged for the
even key, since category key X as derived from the
category rekey message exactly matched the value already
held. Validity designation 112 is therefore set to (i.e.,
remains in) a valid state. The second bank validation is
cleared for the odd key, since category key Y as derived
from the category rekey message does not match the
previous value of category key W held in the odd key
store 102. Thus, validity designation 114 is set to an
invalid state.

In the example illustrated in Figure 7c a category
rekey message 140 arrives redefining the second bank
110. The new category rekey message 140 immediately
follows category rekey message 130 of Figure 7b. After
processing this message, all banks become validated for
both keys. More particularly, the second bank 110 is
validated for both key parities, since that bank was
redefined in the message and authenticated under both keys.
The validation of first bank 104 is unchanged for the even
key, since category key X as derived matched the value
already held in key store 100. Similarly, the validation of
first bank 104 for the odd key is unchanged, since
category key Y as derived from category rekey message 140
exactly matches the previous value held in the odd key
store 102.

The final result of the delivery of the two category
rekey messages as illustrated in Figures 7b and 7c is
that both banks are now validated for the new category
key (category key Y). The delivery of the two messages
could have occurred in either order without affecting the
outcome. Furthermore, both banks continued to be
validated for the current month's key (category key X) during
the delivery process. Thus, no interruption in service
results from the incremental delivery of access rights in
accordance with the present invention.
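The rekey procedure described above (derive each key in turn, mark the banks the message redefined or re-authenticated as valid for it, and clear every other bank for that key when the derived value differs from the stored one) and the walkthroughs of Figures 5b, 6b, 7b and 7c are modelled below as an added worked example. It is not code from the patent or from any product built on it. The bank numbers 104 and 110, the key names X, W and Y and the data item 136 are taken from the figures; the subgroup bytes are constructed. The key wrapping (XOR of the key with a SHA-256 hash of the authenticated payload) is a stand-in chosen so that a key can only be recovered from the exact data the head end authenticated; it is an assumption, not the cipher the patent uses.

```python
import hashlib
from dataclasses import dataclass, field

EVEN, ODD = "even", "odd"
KEY_LEN = 16

def wrap_key(key: bytes, payload: bytes) -> bytes:
    # Stand-in for the patent's key encryption (an assumption, not its cipher): XOR the key with
    # a hash of the authenticated payload, so the receiver recovers the same key only from it.
    mask = hashlib.sha256(payload).digest()[:KEY_LEN]
    return bytes(a ^ b for a, b in zip(key, mask))

@dataclass
class RekeyMessage:
    wrapped: dict               # parity -> wrapped key (one parity or both)
    redefined: dict             # bank id -> new subgroup bytes carried in the message
    reauthenticated: frozenset  # bank ids authenticated again without new data

def payload_for(msg: RekeyMessage, banks: dict) -> bytes:
    # Authenticated data common to every key in the message: redefined subgroups come from the
    # message, re-authenticated ones from the holder's stored copy.
    return b"".join(b"%d=%s;" % (b, msg.redefined.get(b, banks.get(b, b"")))
                    for b in sorted(set(msg.redefined) | msg.reauthenticated))

def make_message(keys: dict, redefined: dict, reauth, head_end_banks: dict) -> RekeyMessage:
    # Head-end side: wrap each delivered key under the sender's view of the payload.
    msg = RekeyMessage({}, dict(redefined), frozenset(reauth))
    payload = payload_for(msg, head_end_banks)
    msg.wrapped = {p: wrap_key(k, payload) for p, k in keys.items()}
    return msg

@dataclass
class AccessControlProcessor:
    banks: dict = field(default_factory=dict)                            # bank id -> subgroup
    keys: dict = field(default_factory=lambda: {EVEN: None, ODD: None})  # key stores 100 / 102
    valid: dict = field(default_factory=dict)                            # bank id -> {parity: ok}

    def process(self, msg: RekeyMessage) -> None:
        for bank in msg.redefined:
            self.valid.setdefault(bank, {EVEN: False, ODD: False})
        covered = {b for b in set(msg.redefined) | msg.reauthenticated if b in self.valid}
        payload = payload_for(msg, self.banks)
        for parity in (EVEN, ODD):                 # even key first, then odd, as in the text
            if parity not in msg.wrapped:
                continue
            derived = wrap_key(msg.wrapped[parity], payload)   # unwrap: same XOR operation
            for bank in covered:                   # redefined or re-authenticated: valid
                self.valid[bank][parity] = True
            if derived != self.keys[parity]:       # key changed: every other bank lapses
                for bank in self.valid.keys() - covered:
                    self.valid[bank][parity] = False
                self.keys[parity] = derived
        for bank, data in msg.redefined.items():   # new data that a key absent from the
            if data != self.banks.get(bank):       # message never authenticated lapses for it
                for parity in {EVEN, ODD} - set(msg.wrapped):
                    self.valid[bank][parity] = False
            self.banks[bank] = data

    def usable_banks(self, parity: str) -> set:
        return {b for b, v in self.valid.items() if v[parity]}

def snapshot(acp: AccessControlProcessor) -> dict:
    return {b: dict(v) for b, v in acp.valid.items()}

# Constructed sample data: category keys X, W, Y and subgroups for banks 104 and 110.
X, W, Y = b"X" * KEY_LEN, b"W" * KEY_LEN, b"Y" * KEY_LEN
RIGHTS_104, RIGHTS_110, RIGHTS_136, RIGHTS_110_V2 = b"r104", b"r110", b"r136", b"r110v2"

def initial_state() -> AccessControlProcessor:
    # Figures 6a / 7a: both banks held and valid under even key X and odd key W.
    acp = AccessControlProcessor()
    acp.process(make_message({EVEN: X, ODD: W}, {104: RIGHTS_104, 110: RIGHTS_110}, (), {}))
    return acp

def figure_5b_and_6b() -> tuple:
    # 5b: odd key Y alone, bank 104 redefined.  6b: odd key Y alone, both banks re-authenticated.
    a, b = initial_state(), initial_state()
    a.process(make_message({ODD: Y}, {104: RIGHTS_136}, (), a.banks))
    b.process(make_message({ODD: Y}, {}, (104, 110), b.banks))
    return snapshot(a), snapshot(b)

def figure_7(order=(0, 1)) -> list:
    # Messages 130 and 140 each carry both X and Y; returns the state after each one.
    acp, states = initial_state(), []
    msgs = [make_message({EVEN: X, ODD: Y}, {104: RIGHTS_136}, (), acp.banks),
            make_message({EVEN: X, ODD: Y}, {110: RIGHTS_110_V2}, (), acp.banks)]
    for i in order:
        acp.process(msgs[i])
        states.append(snapshot(acp))
    return states

def tampered_7b() -> AccessControlProcessor:
    # Message 130 with bank 104's subgroup altered in transit: both keys unwrap to junk values.
    acp = initial_state()
    msg = make_message({EVEN: X, ODD: Y}, {104: RIGHTS_136}, (), acp.banks)
    msg.redefined[104] = b"forged"
    acp.process(msg)
    return acp
```

`figure_5b_and_6b()` reproduces the two single-key cases (designations 106 and 114 cleared in the first, nothing cleared in the second), and `figure_7()` reproduces the two-key sequence in either order, with bank 110 staying valid for category key X throughout. `tampered_7b()` shows what this bookkeeping does when a redefined subgroup is altered in transit: both keys unwrap to values matching neither stored key, so bank 110 is cleared for them and the forged bank is valid only under keys that decrypt nothing. In this model the stored keys are nonetheless overwritten; the text does not say how the processor checks a message before that point, so a real processor would want such a check ahead of the key-store update.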

It should now be appreciated that the present invention
provides a method and apparatus for incrementally
delivering authenticated access rights to an access control
processor. Data defining the access rights is divided
into a plurality of subgroups which are incrementally
delivered to an access control processor. Validity
designations are used to keep track of authenticated access
rights that can be used for providing access to a particular
data stream.

Although the invention has been described in connection
with various illustrated embodiments, those
skilled in the art will appreciate that numerous adaptations
and modifications may be made thereto without
departing from the spirit and scope of the invention as
set forth in the claims.

Claims 

1. A method for incrementally delivering authenticated
access rights to an access control processor, comprising
the steps of:

dividing data defining said access rights into
a plurality of subgroups;

transmitting said subgroups to said processor
in a plurality of messages;

deriving a current cryptographic key using the
authenticated data contained in a current message
upon receipt of that message by said processor;

storing each of said subgroups in a corresponding
storage bank of said processor, each of
said storage banks having a validity designation
associated therewith for said cryptographic key;

comparing said current cryptographic key to
a cryptographic key from a prior message under
which subgroups stored in said storage banks were
authenticated to determine if the keys match;

if said keys match, setting the validity designation
for that key to a valid state for each storage
bank that is storing data authenticated by said current
message, without changing that key's validity
designation for any other storage bank; and

if said keys do not match, setting the validity
designation for that key to a valid state for each storage
bank that is storing data authenticated by said
current message and setting that key's validity
designation for all other storage banks to an invalid
state;

wherein access under the current cryptographic
key is limited to that provided by access
rights contained in storage banks having a validity
designation for that key in a valid state.

2. A method in accordance with claim 1 wherein first
and second different cryptographic keys under
which access rights are authenticated are maintained
by said processor at the same time, said
method comprising the further step of:

providing each of said storage banks with a
first validity designation for said first key and a second
validity designation for said second key;

wherein access via a particular one of said
keys is limited to that provided by access rights contained
in storage banks having a validity designation
in a valid state for that key.

3. A method in accordance with claim 1 or 2 comprising
the further steps of:

transmitting a replacement for one of said first
and second keys in one of said messages together
with one or more subgroups authenticated under
said replacement;

storing each of the subgroups transmitted
with said replacement key in a corresponding one of
said storage banks;

setting the validity designation for the
replacement key to a valid state for those storage
banks holding a subgroup authenticated under the
replacement key;

setting the validity designation for the
replacement key to an invalid state for those storage
banks holding a subgroup that was not authenticated
under the replacement key; and

setting the validity designation for the key that
was not replaced to an invalid state for those storage
banks holding a subgroup that was authenticated
under the replacement key and differs from the previous
subgroup stored in that storage bank.


4. A method in accordance with claim 3 wherein the
message carrying said replacement key also carries
a duplicate of the key that was not replaced.

5. A method in accordance with any of claims 1 to 4
comprising the further step of transmitting replacement
keys on a periodic basis.



6. An access control processor for incrementally
receiving authenticated access rights, comprising:

means for receiving a plurality of messages
containing subgroups of access control data defining
said access rights;

means for deriving a current cryptographic
key using the authenticated data contained in a current
one of said messages upon receipt of that message;

a plurality of storage banks for storing different
ones of said subgroups, each of said storage
banks having a validity designation associated
therewith for said cryptographic key;

means for comparing said current cryptographic
key to a cryptographic key under which data
contained in said storage banks was authenticated
to determine if the keys match;

means responsive to said comparing means
for setting the validity designation for the current
cryptographic key to a valid state for each storage
bank that is storing data authenticated by said current
message, without changing that key's validity
designation for any other storage bank, if the keys
match; and

means responsive to said comparing means
for setting the validity designation for the current
cryptographic key to a valid state for each storage
bank that is storing data authenticated by said current
message, and for setting that key's validity
designation for all other storage banks to an invalid state
if the keys do not match;

wherein access under the current cryptographic
key is limited to that provided by access
rights contained in storage banks having a validity
designation for that key in a valid state.

7. Apparatus in accordance with claim 6 wherein:

said processor maintains first and second different
cryptographic keys under which access rights
are authenticated;

a first validity designation is maintained for
said first key and a second validity designation is
maintained for said second key for each of said
banks; and

access via a particular one of said keys is limited
to that provided by access rights contained in
storage banks having a validity designation in a valid
state for that key.

8. Apparatus in accordance with claim 6 or 7 wherein
a replacement is provided for one of said first and
second keys together with one or more subgroups
authenticated under said replacement, said apparatus
further comprising:

means for storing each of the subgroups
transmitted with said replacement key in a corresponding
one of said storage banks;

means for setting the validity designation for
the replacement key to a valid state for those storage
banks holding a subgroup authenticated under the
replacement key;

means for setting the validity designation for
the replacement key to an invalid state for those storage
banks holding a subgroup that was not authenticated
under the replacement key;

means for setting the validity designation for
the key that was not replaced to a valid state for
those storage banks holding a subgroup authenticated
under that key; and

means for setting the validity designation for
the key that was not replaced to an invalid state for
those storage banks holding a subgroup that was
not authenticated under that key.